Description
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
Published: 2026-06-06
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the OneDev Pull Request Handler’s canAccessIssue function allows an attacker to manipulate the issue argument, resulting in improper authorization. The vulnerability can grant read or potentially edit access to issues that a user should not be able to view, weakening confidentiality and integrity of project data. It is a typical authorization bypass flaw identified as CWE‑266 and CWE‑285.

Affected Systems

OneDev, versions up to and including 15.0.5 are affected. The updated release, OneDev 15.0.6, contains a fix that restores proper access checks. Any deployment running a vulnerable version is at risk until patched.

Risk and Exploitability

The CVSS base score of 5.3 places this vulnerability in the medium‑severity range, indicating a non‑critical but meaningful risk. No EPSS score is currently reported, and the issue is not listed in the CISA KEV catalog, so publicly available exploitation data is not known. Attackers can launch the exploit remotely by supplying a crafted issue identifier to the vulnerable endpoint; no local privilege or physical access is required.

Generated by OpenCVE AI on June 6, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your OneDev server to version 15.0.6 or later to apply the vendor’s fix for the canAccessIssue authorization problem.
  • Verify that role‑based access controls for issue viewing are correctly configured, ensuring that only authorized users can query or modify issues.
  • Enable detailed logging and monitoring for issue‑access attempts to detect any unauthorized activity after remediation.

Generated by OpenCVE AI on June 6, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
Title theonedev Pull Request issues canAccessIssue improper authorization
First Time appeared Theonedev
Theonedev onedev
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*
Vendors & Products Theonedev
Theonedev onedev
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Theonedev Onedev
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-06T17:45:10.650Z

Reserved: 2026-06-05T22:21:08.343Z

Link: CVE-2026-11441

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-06T18:16:53.443

Modified: 2026-06-06T18:16:53.443

Link: CVE-2026-11441

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T20:00:16Z

Weaknesses